Cynic submission OnFileQueryFail with sandbox result ERROR_SANDBOX_QUERY_FAIL error code 0x80010116

Article ID: 219594

Products

Endpoint Detection and Response

Issue/Introduction

Submitting a file to the sandbox fails with ERROR_SANDBOX_QUERY_FAIL. You are unable to submit a file for analysis to the on-premises Content Analysis Server (CAS) configured in EDR.

Environment

  • EDR 4.x
  • CASMA appliance
    • CASMA = Content Analysis Server Malware Analysis
    • Also referred to as a CA Server, CAS server, or Content Analysis Server.

Cause

sandbox result ERROR_SANDBOX_QUERY_FAIL error code 0x80010116

The Cynic submission OnFileQueryFail and the error above are caused by an incorrect or outdated token that SEDR is attempting to use to communicate with the on-premises CAS appliance configured for sandbox analysis.

Resolution

  1. On the SEDR web console, as an admin-level user, go to Settings > Appliances and click the appliance to view its settings.

     NOTE: Do not click the 'Edit Default Appliance' button.

  2. Ensure the 'Use Default' box is not checked under Sandboxing.
  3. Edit Sandbox Settings.
  4. Select 'Symantec Cynic (cloud-based sandboxing)' from the drop-down.
  5. Click Save.
  6. Edit Sandbox Settings again.
  7. Select 'Symantec Content Analysis (on-premise sandboxing)' from the drop-down and enter the appropriate configuration and token for your CASMA appliance.

Additional Information

  • The SEDR engineering team is committed to improving the user interface in later releases of the SEDR software to improve the user experience.
  • When configuring the sandbox settings, if the 'Use Default' checkbox is enabled, EDR applies the template from the default appliance. This template is not needed in a single-EDR-appliance deployment, and it can cause communication issues between EDR and the CASMA appliance in your environment. For environments with only one EDR appliance, using the default template is not necessary, and Support recommends avoiding it where possible.